AEPD - E/03276/2021
|AEPD - E/03276/2021|
|Relevant Law:||Article 6(1)(a) GDPR|
Regulation 1024/2012 (IMI Regulation)
Article 21(1) LSSI
Article 22(2) LSSI
|Parties:||ALDANITI INTERNATIONAL NETWORK, LTD|
|National Case Number/Name:||E/03276/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
The Spanish DPA was not able to launch a sanction procedure because the ICO did not send any information following their cooperation request in the IMI, despite having accepted the case. After Brexit, the Spanish authority decided to archive the case.
English Summary[edit | edit source]
Facts[edit | edit source]
The Spanish DPA (AEPD) received a complaint regarding a website that was sending spam to them, and that additionally placed cookies without consent (or possibility of opposing) when visiting their site. This website (pulpower.com/es/) is owned by a British marketing company, Aldaniti International Network LTD.
Given that the mentioned company doesn't have any premises or establishments in Spain, and therefore has no Spanish Tax number or any related information, the AEPD submitted a request to the Internal Market Information System (IMI), following the Regulation 1024/2012 (IMI Regulation). In August 2019, the ICO accepted the case, and subsequently the AEPD provisionally archived their own case.
However, the Spanish DPA did not receive any update on the case within the IMI request upon the entry into effect of Brexit, that implies that the United Kingdom is not any more a Member State of the European Union and is therefore nor affected by or part of European regulations.
Holding[edit | edit source]
The AEPD concluded that, given the fact Brexit, that implies that the United Kingdom is not any more a Member State of the European Union and is therefore nor affected by or part of European regulations, the authority will not be able to identify the controller, which is required by Spanish law for sanction procedures.
The Spanish Tax authority did not hold any data on the controller either and therefore it was not possible to launch a sanction procedure against it.
For this reason, the AEPD decided to archive the case.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/3 Procedure Nº: E / 03276/2021 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: The claim filed by Mr. A.A.A. (hereinafter, the claimant) has entry dated March 29, 2019, in the Spanish Protection Agency of data. The claim is directed against ALDANITI INTERNATIONAL NETWORK, LTD, (in ahead, the claimed one). The claim indicates the following: “I received an email from pulpower to confirm my subscription, as I had not done no management, delete the mail that I have now been able to recover, as it turns out that without accept that subscription that I also do not make, I begin to receive spam, not only do I not I have subscribed, nor confirmed that email that they sent me, but I am subscribed in the Robinson list, attached certificate certifying it. I request the opening of sanctioning file. Thank you". It all started with a confirmation email of a supposed registration in the system, and He continued with emails where he was offered "tokens" to exchange for gifts. The claimant does not acknowledge having ever registered in the services of the person in charge, and, In addition, your email is listed on ADigital's Robinson list. In the second letter it is denounced that, in the aforementioned web portal, "cookies" with the mere visit to the page, and no way is offered not to provide or revoke consent to said treatment. SECOND: The Subdirectorate General for Data Inspection, learned of the following points and carried out these actions: It was verified that the person responsible for the treatment and owner of the web PULPOWER.COM is ALDANITI INTERNATIONAL NETWORK LTD, established in the UK. The claim was incorporated into the "Internal Market Information System" (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (Regulation IMI), whose objective is to promote cross-border administrative cooperation, the mutual assistance between Member States and the exchange of information; with IMI number 69346 and dated June 17, 2019. One month is given at authorities to manifest. On August 24, 2019: the data protection control authority in the United Kingdom (ICO) they accept the case, making a provisional file. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/3 When the time for Brexit to take effect, ICO has not made any action on the claim incorporated into IMI. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II Prior to the initiation of sanctioning actions, it is necessary to identify the presumed responsible for the administrative offense. Article 64 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, referring to the Initiation Agreement in the procedures of a sanctioning nature, establishes the following: "1. The initiation agreement will be communicated to the instructor of the procedure, with transfer of how many actions exist in this regard, and the interested parties will be notified, understanding in any case the accused as such. Likewise, the initiation will be communicated to the complainant when the rules governing the procedure so provide. 2. The initiation agreement must contain at least: a) Identification of the person or persons allegedly responsible. ... " In order to be able to initiate sanctioning actions, the Agency has been requested State Tax Administration if there was any NIF associated with the entity claimed, for identification. The State Tax Administration Agency has responded to the Spanish Agency of Data Protection that has not been able to locate any NIF related to the claimed entity. Therefore, although the claim presented, if detrimental to the possible prescription of the infringements claimed, could constitute an infringement of the regulations of data protection, it is not possible to initiate sanctioning actions due to not having Tax identification of the alleged person responsible. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED WITH THE FILING of these actions. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/3 SECOND: NOTIFY this resolution to the claimant. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es